Method and apparatus for encrypting database columns

ABSTRACT

One embodiment of the present invention provides a system that facilitates encryption of data within a column of a database. The system operates by first receiving a command to perform a database operation. Next, the system parses the command to create a parse tree. The system then examines the parse tree to determine if a column referenced in the parse tree is an encrypted column. If a column referenced in the parse tree is an encrypted column, the system automatically transforms the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.

RELATED APPLICATION

[0001] The subject matter of this application is related to the subject matter in a co-pending non-provisional application by Richard R. Wessman entitled, “Method and Apparatus for Automatic Database Encryption,” having Ser. No. 09/680,599, and filing date 6 Oct. 2000 (Attorney Docket No. OR00-03802).

BACKGROUND

[0002] 1. Field of the Invention

[0003] The present invention relates to database security. More specifically, the present invention relates to a method and an apparatus for transparently encrypting and decrypting data on a column-by-column basis within a database.

[0004] 2. Related Art

[0005] Database security is an important feature in many database systems. In database systems, security is often achieved by encrypting data within the database system. Currently, there are two primary approaches for encrypting data stored in a database system. The first approach can be characterized as “bulk encryption” and performs cryptographic operations on entire database files. The second approach selectively applies cryptographic operations to specific sensitive columns within a database.

[0006] Bulk encryption typically entails encryption of the entire database because sensitive data is not just stored inside a particular table. Sensitive data may also appear in other database objects. For example, sensitive data may appear in an index, in change records of undo and redo logs, and in temporary sorting areas. Since these database objects are designed to be shared by the entire database system, it is not practical to separate data within these database objects so that some data is encrypted and some is not.

[0007] While bulk encryption is relatively simple to implement and is transparent to an application accessing the database, there are significant drawbacks. Chief among these drawbacks is the system performance degradation. It takes a long time to encrypt or decrypt the entire database file. In such a system, a rekey operation can involve decrypting and then re-encrypting the entire database file. These operations can take a large amount of time, which makes this solution unfit for large on-line transaction processing deployments. Also, the security of the system can be compromised because database records are exposed in shared memory as plain text after the data records are decrypted from the files.

[0008] The second approach limits the encryption to only those sensitive columns within the database, which can theoretically reduce the overhead involved in performing cryptographic operations. However, the systems currently available that use this approach suffer from some major drawbacks. The encrypt and decrypt operations must be explicitly applied to any references of the encrypted columns. For example, an application desiring to issue a command to retrieve the credit card number of a customer whose social security number is ‘123456789’ might issue the command:

[0009] select credit_card_number from tab where ssn=‘123456789’

[0010] However, if both of these columns are encrypted, the query must be modified to include the decryption commands, such as:

[0011] select decrypt(credit_card_number) from tab where decrypt(ssn)=‘123456789’

[0012] Note that the encrypt and decrypt functions must also provide interfaces for selecting the cryptographic algorithm, and the application must provide key management.

[0013] Therefore, in this second approach the encryption and decryption operations are not transparent to application developers despite claims to the contrary by database system vendors. When a sensitive column is accessed, the encrypt or decrypt functions must explicitly be applied to the column data. To make such runtime function execution transparent to the user and secured, the application schema objects must be significantly altered. For example, a table with sensitive columns must be turned into a view in order to hide the cryptographic functions. This also means that the base object must be renamed because views and tables are in the same name space and cannot share a name. Triggers need to be created so that insert or update of the views will cause the data in the base table to be encrypted implicitly. Moreover, index support is limited because the server can build an index only with encrypted data, which has lost its lexicographical order. This is so because encrypt and decrypt operations cannot be integrated with the index processing layers.

[0014] Hence, what is needed is a method and an apparatus for transparently encrypting and decrypting data on a column-by-column basis within a database system.

SUMMARY

[0015] One embodiment of the present invention provides a system that facilitates encryption of data within a column of a database. The system operates by first receiving a command to perform a database operation. Next, the system parses the command to create a parse tree. The system then examines the parse tree to determine if a column referenced in the parse tree is an encrypted column. If a column referenced in the parse tree is an encrypted column, the system implicitly transforms the parse tree to include one or more cryptographic operations to facilitate accessing the encrypted column while performing the database operation.

[0016] In a variation of this embodiment, if the database operation includes a reference operation from the encrypted column, the system transforms the parse tree to decrypt data retrieved from the encrypted column during the reference operation to provide clear text.

[0017] In a further variation, if the command includes an update operation to the encrypted column, the system transforms the parse tree to encrypt data being updated in the encrypted column during the update operation to place encrypted data in the database.

[0018] In a further variation, if a column referenced in the parse tree is encrypted, the system identifies a cryptographic key for the column. The key is recovered only once for all accesses to the column for each command.

[0019] In a further variation, examining the parse tree involves determining if the user command is an explicit request to encrypt a presently unencrypted column in the database. If so, the system encrypts the column.

[0020] In a further variation, examining the parse tree involves determining if the user command is an explicit request to change an encryption key for a column. If so, the system decrypts the column with the current encryption key, and encrypts the column with a new encryption key.

[0021] In a further variation, examining the parse tree involves determining if the user command is an explicit request to decrypt an encrypted column in the database. If so, the system decrypts the column.

[0022] In a further variation, examining the parse tree involves determining if the user command is an explicit request to change an encryption algorithm for a column. If so, the system decrypts the column with a current encryption algorithm, and encrypts the column with a new encryption algorithm.

BRIEF DESCRIPTION OF THE FIGURES

[0023] FIG. 1 illustrates a database system in accordance with an embodiment of the present invention.

[0024] FIG. 2 illustrates a server in accordance with an embodiment of the present invention.

[0025] FIG. 3 presents a flowchart illustrating the process of transforming a database query to include cryptographic operations in accordance with an embodiment of the present invention.

[0026] FIG. 4A presents a parse tree without transformation in accordance with an embodiment of the present invention.

[0027] FIG. 4B presents a transformed parse tree in accordance with an embodiment of the present invention.

[0028] FIG. 5 presents a flowchart illustrating the process of executing a command involving cryptography for a column in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

[0029] The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

[0030] The data structures and code described in this detailed description are typically stored on a computer readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital versatile discs or digital video discs), and computer instruction signals embodied in a transmission medium (with or without a carrier wave upon which the signals are modulated). For example, the transmission medium may include a communications network, such as the Internet.

[0031] Database System

[0032] FIG. 1 illustrates a database system in accordance with an embodiment of the present invention. The database system includes client 102, server 104, and database 106. Client 102 can generally include any node on a network including computational capability and may include a mechanism for communicating across the network.

[0033] Server 104 can generally include any computational node including a mechanism for servicing requests from a client for computational and/or data storage resources. Server 104 communicates with one or more clients and provides services to each client. This communication is typically across a network (not shown) such as the Internet or a corporate intranet. Server 104 may be implemented as a cluster of servers acting in concert to supply computational and database services.

[0034] Database 106 can include any type of system for storing data in non-volatile storage. This includes, but is not limited to, systems based upon magnetic, optical, and magneto-optical storage devices, as well as storage devices based on flash memory and/or battery-backed up memory. Database 106 can be directly coupled to server 104 or can be accessed across a network such as a corporate intranet or the Internet.

[0035] During operation, client 102 sends database commands to server 104. These commands are typically in a database language such as structured query language (SQL) and can include reference and update operations on database 106. If any of these reference or update operations include operations on encrypted columns, the operations are processed as described below in conjunction with FIGS. 2-5.

[0036] Server

[0037] FIG. 2 illustrates a server 104 in accordance with an embodiment of the present invention. Server 104 includes client interface 202, command parser 204, command transformer 206, cryptographic unit 208, and database interface 210. Client interface 202 communicates with client 102 to accept commands and to respond to commands from client 102. These commands can include SQL commands for server 104, which operate on database 106.

[0038] Command parser 204 parses the command into the individual elements (operands, operators, etc.) that comprise the command. Command parsing is well known in the art and will not be discussed further in this description.

[0039] Command transformer 206 examines the parsed elements of the command to locate any reference or update operations related to encrypted columns within database 106. Upon locating a reference or update operation related to an encrypted column, command transformer 206 transforms the operation to include the necessary cryptographic operations to access the encrypted column. These transforming operations are described in detail in conjunction with FIGS. 4A and 4B below.

[0040] Cryptographic unit 208 performs cryptographic operations such as key management, encryption, and decryption. Any of a large number of standard key management systems can be used with this system. Encryption and decryption can be performed using any acceptable algorithm, such as the data encryption standard (DES), triple DES, or the advanced encryption standard (AES). Additionally, these encryption algorithms can be combined with integrity techniques such as secure hash algorithm 1 (SHA-1) or message digest 5 (MD5).

[0041] Database interface 210 includes mechanisms for accessing database 106. These accessing operations can include retrieving data from database 106 and storing or updating data within database 106. Note that transformation of a command and execution of the command may not happen in the same sequence of events. Execution of the command may happen at a later time.

[0042] Transforming Database Operations

[0043] FIG. 3 presents a flowchart illustrating the process of transforming database operations to include cryptographic operations in accordance with an embodiment of the present invention. The system starts when a command is received to perform a database operation (step 302). Next, the system parses the command to create a parse tree (step 304). The system then examines this parse tree to locate referenced columns or expressions associated with encrypted data (step 306).

[0044] After locating a referenced column, the system determines if the column is encrypted (step 308). If so, the system transforms the operation on this encrypted column to include cryptographic operations (step 310). Note that this transforming process is transparent to the user.

[0045] If the column is not encrypted at step 308, or after transforming the command to include cryptographic operations at step 310, the system performs the operations specified in the command, thereby completing the command (step 312). Note that transformation of a command and execution of the command may not happen in the same sequence of events. Execution of the command may happen at a later time.

[0046] Parse Trees

[0047] FIG. 4A presents a parse tree without transformation in accordance with an embodiment of the present invention. The system parses the entered command producing a parse tree. For example, the parse tree presented in FIG. 4A illustrates how the command:

UPDATE employee SET sal=1.01*sal;

[0048] is parsed. The operator “*” multiplies the left sub-tree (1.01) times the right sub-tree (sal) and returns the results to the database in the “sal” column. This parse tree assumes that the “sal” column is not encrypted.

[0049] FIG. 4B presents a transformed parse tree in accordance with an embodiment of the present invention. This parse tree assumes that the column “sal” is encrypted. Again, the operator “*” multiplies its left sub-tree times its right sub-tree. The right sub-tree, however, has been transformed to include the decryption operator “DO.” The DO operator uses the supplied parameters to decrypt the column in the left sub-tree (sal in this example). The parameters supplied to DO are the algorithm identifier “alg_id” and the results of the “GK” operator. The “GK” operator is the get key operator which retrieves the column encryption key using the supplied parameters. The input parameters to the “GK” operator are the key management type, the master key identifier, and the column key identifier.

[0050] After the DO has decrypted the “sal” column and the results have been multiplied by 1.01 by the “*” operator, the encryption operator “EO” encrypts the results and passes the results back to the database for storage in the “sal” column. The inputs to the EO operator are the results of the “*” operator, the algorithm identifier “alg_id” and the results of the “GK” operator. Note that since the key has not changed, the results of the “GK” operator for the decryption are shared with the EO for encryption. In fact, the “GK” operator is invoked only once to update the entire “sal” column.

[0051] Commands Involving Cryptography for a Referenced Column

[0052] FIG. 5 presents a flowchart illustrating the process of executing a command involving cryptography for a column in accordance with an embodiment of the present invention. The system starts when a command is received to perform a database operation (step 502). Next, the system parses the command to create a parse tree (step 504). The system then examines this parse tree to determine if the command involves cryptography for a referenced column (step 506). If so, the system performs the cryptographic operation on the referenced column (step 508).

[0053] As an example, if the command is a command to change the encryption key, such as:

[0054] ALTER TABLE employee MODIFY (ssn REKEY);

[0055] The system first updates the metadata for the column. The system then implicitly issues an update statement, which is transformed into the following UPDATE statement for execution:

UPDATE employee SET ssn = ENCRYPT(DECRYPT(ssn, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id)), k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, new_col_key_id));

[0056] Overview

[0057] The present invention provides encryption of data at the granularity of a column or column attribute (in the case of an Object database). This encryption is transparent to the applications that access the encrypted columns within the database.

[0058] Instead of relying on built-in or user defined encrypt and decrypt functions, the secrecy of a column is supported as part of the column properties. Like any other column properties, such as constraints or data type, the cryptographic characteristics of the column can be defined and altered at any time using data definition language (DDL) commands. The following are examples of typical administrative tasks that define and alter encrypted column properties.

[0059] The sensitive data can be re-encrypted with a different encryption algorithm using a statement such as:

[0060] ALTER TABLE employee MODIFY (ssn ENCRYPT USING ‘AES128’);

[0061] The system first updates the metadata for the column. The system then implicitly issues an update statement, which is transformed into the following UPDATE statement for execution:

UPDATE employee SET ssn = ENCRYPT(DECRYPT(ssn, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id)), AES128, GET_KEY(key_mgn_type, master_key_id, col_key_id));

[0062] Security requirements may require that the encryption key be changed periodically. Changing the encryption key can be accomplished as described in paragraph [0041].

[0063] If a decision is made to make the encrypted data available in plaintext instead, the following command can be used:

[0064] ALTER TABLE employee MODIFY (ssn DECRYPT);

[0065] The system first updates the metadata for the column. The system then implicitly issues an update statement, which is transformed into the following UPDATE statement for execution:

UPDATE employee SET ssn = DECRYPT(ssn, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id));
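The three ALTER TABLE ... MODIFY forms above (REKEY, ENCRYPT USING, DECRYPT) follow one procedure: the column metadata is updated first, and the implicit UPDATE is then derived from the old metadata (the DECRYPT side) and the new metadata (the ENCRYPT side). The following Python models that procedure over a constructed metadata table. It is an added example, not code from the patent or from any database product; the statement grammar accepted by the regular expression, the SERVER_HELD master key values, the default algorithm for a bare ENCRYPT and the naming of freshly generated column key ids are assumptions of the example.

```python
"""Column-encryption DDL handling, modelled after the patent text (added example)."""
import re
from copy import deepcopy

# Constructed metadata for one table. The field names follow the page's
# GET_KEY/ENCRYPT parameters; the values are made up for this example.
CURRENT_MASTER = {"key_mgn_type": "SERVER_HELD", "master_key_id": "mk-01"}
COLUMN_METADATA = {
    "employee": {
        "ssn": {"k_algorithm_id": "DES3", "col_key_id": "ck-ssn-03", **CURRENT_MASTER},
        "salary": None,  # None: the column is stored in plaintext
    }
}
DEFAULT_ALGORITHM = "AES128"  # assumption: the page names no default for a bare ENCRYPT

# ALTER TABLE <table> MODIFY (<column> REKEY | DECRYPT | ENCRYPT [USING 'alg']);
_ALTER = re.compile(
    r"ALTER\s+TABLE\s+(\w+)\s+MODIFY\s*\(\s*(\w+)\s+"
    r"(REKEY|DECRYPT|ENCRYPT(?:\s+USING\s+[‘'](\w+)[’'])?)\s*\)\s*;?",
    re.IGNORECASE,
)

_counter = [0]

def new_col_key_id(col: str) -> str:
    """Constructed id for a freshly generated column key (a real server would
    generate random key material and register the key's universal id)."""
    _counter[0] += 1
    return f"ck-{col}-gen{_counter[0]}"

def get_key_text(m: dict) -> str:
    return f"GET_KEY({m['key_mgn_type']}, {m['master_key_id']}, {m['col_key_id']})"

def decrypt_text(col: str, m: dict) -> str:
    return f"DECRYPT({col}, {m['k_algorithm_id']}, {get_key_text(m)})"

def encrypt_text(expr: str, m: dict) -> str:
    return f"ENCRYPT({expr}, {m['k_algorithm_id']}, {get_key_text(m)})"

def handle_alter(sql: str, metadata: dict):
    """Return (updated metadata, implicit UPDATE statement) for one ALTER TABLE.
    The input metadata is left untouched; the old entry drives the DECRYPT side
    and the new entry drives the ENCRYPT side of the generated statement."""
    match = _ALTER.fullmatch(sql.strip())
    if not match:
        raise ValueError("unsupported statement")
    table, col, action, alg = match.groups()
    action = action.split()[0].upper()
    alg = alg.upper() if alg else None
    meta = deepcopy(metadata)
    old = meta[table][col]

    if action == "DECRYPT":
        if old is None:
            raise ValueError(f"{col} is not encrypted")
        meta[table][col] = None
        return meta, f"UPDATE {table} SET {col} = {decrypt_text(col, old)};"

    if action == "REKEY":
        if old is None:
            raise ValueError(f"{col} is not encrypted")
        new = dict(old, col_key_id=new_col_key_id(col))
        meta[table][col] = new
        return meta, f"UPDATE {table} SET {col} = {encrypt_text(decrypt_text(col, old), new)};"

    # ENCRYPT [USING 'alg']
    if old is None:
        # first-time encryption: plaintext in, ciphertext out, fresh column key
        new = {"k_algorithm_id": alg or DEFAULT_ALGORITHM,
               "col_key_id": new_col_key_id(col), **CURRENT_MASTER}
        meta[table][col] = new
        return meta, f"UPDATE {table} SET {col} = {encrypt_text(col, new)};"
    if alg is None or alg == old["k_algorithm_id"]:
        raise ValueError(f"{col} is already encrypted with {old['k_algorithm_id']}")
    # algorithm change: same column key, new algorithm, as in the page's example
    new = dict(old, k_algorithm_id=alg)
    meta[table][col] = new
    return meta, f"UPDATE {table} SET {col} = {encrypt_text(decrypt_text(col, old), new)};"

if __name__ == "__main__":
    for stmt in ("ALTER TABLE employee MODIFY (ssn REKEY);",
                 "ALTER TABLE employee MODIFY (ssn ENCRYPT USING 'AES128');",
                 "ALTER TABLE employee MODIFY (ssn DECRYPT);",
                 "ALTER TABLE employee MODIFY (salary ENCRYPT);"):
        print(handle_alter(stmt, COLUMN_METADATA)[1])
```

Returning a copy of the metadata rather than mutating it in place keeps the two steps of the page's procedure visible: the caller commits the new metadata and then executes the generated UPDATE, and a failure in either step leaves the other unapplied.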

[0066] A column can also be declared as encrypted when a table is created. The following DDL command gives an example of encrypting the SSN and salary fields of an employee table during creation of the employee table:

CREATE TABLE employee (
  name VARCHAR2(30),
  employee_id NUMBER(10),
  SSN NUMBER(9) ENCRYPT USING ‘DES3’ AND HASH USING ‘MD5’,
  address VARCHAR2(256),
  city VARCHAR2(80),
  state VARCHAR2(80),
  zip_code VARCHAR2(10),
  salary NUMBER(10) ENCRYPT,
  date_of_birth DATE,
  title VARCHAR2(30)
);

[0067] When a column is specified as encrypted, all data in that column is encrypted with a column encryption key. This key is wrapped by one or more master keys before being stored in the server's metadata table. Retrieval of the master keys depends upon the selected key management scheme and the storage location of the master keys. This means that for any column cryptographic operation, the server must first find the master key and then use the master key to decrypt the encrypted column encryption key.

[0068] Runtime support of transparent cryptographic operations is based on the introduction of three internal operators on the server. They are (1) column encryption key retrieval, (2) encrypt data, and (3) decrypt data.

[0069] The key retrieval operator has arguments to accept the column encryption key identity, the master key identity, and the key management type. This operator returns the column encryption key in plain text.

[0070] The encrypt and decrypt operators have arguments for identifying the encrypted column data, the column encryption key, and the encryption algorithm identity. The key retrieval operator is separated from the encrypt/decrypt operators because it is desirable for the key retrieval operator to be evaluated only once per statement execution.

[0071] At statement parse time, a decrypt operator can be implicitly added around column attributes which will receive encrypted data from the server. After the transformation, a typical reference of a column alone in an expression is equivalent to the following, as if the decrypt function was explicitly applied:

DECRYPT(column, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id))

[0072] For expression values which will be placed in the database as inserted or updated values, encrypt operators are added as in:

ENCRYPT(expression, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id))

[0073] Note that the arguments to the DECRYPT and ENCRYPT commands, except for the encrypted column data, are known at parse time because these values are included in the metadata being maintained at the time of a DDL command which affects the encrypted column. These arguments are part of the statement context in the shared memory. However, these arguments reveal no sensitive information. The encryption key itself is retrieved only once at execution time and will appear only in the user session's per-execution memory. The algorithm for key encryption can be a system-wide configurable parameter, or an optional argument can be added to the GET_KEY command.

[0074] At execution time, because of the implicit transformation on the statement context as described above, the encrypted data is decrypted before an expression evaluation. The plain text is encrypted after expression evaluation for inserted and updated values going into the persistent store. This also guarantees that the column's native data type format is preserved during encryption and decryption. Therefore, existing implementations for expression evaluation are not affected.

[0075] For example, assume that the salary column “Sal” in the employee table is encrypted. The following update statement for a pay raise:

UPDATE employee SET Sal=1.01*Sal WHERE empno=999999;

[0076] would actually be executed as:

UPDATE employee SET sal = ENCRYPT(1.01 * DECRYPT(sal, k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id)), k_algorithm_id, GET_KEY(key_mgn_type, master_key_id, col_key_id)) WHERE empno = 999999;
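The rewrite described for FIGS. 4A and 4B and in paragraphs [0071] to [0076], as an added Python example that is not code from the patent or from any database product: a small UPDATE parse tree is walked so that every read of an encrypted column is wrapped in DECRYPT and every value assigned to an encrypted column is wrapped in ENCRYPT, while one GET_KEY node per column is shared by both operators, which is what allows the key to be recovered once per statement execution. The node classes, the constructed column metadata and the rendering back to text are assumptions of the example; only UPDATE statements are modelled.

```python
"""Parse-tree transformation for transparent column encryption (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed column metadata, as the server would record it from the DDL.
# Field names follow the page's GET_KEY/ENCRYPT parameters; values are made up.
ENCRYPTED_COLUMNS: Dict[str, dict] = {
    "sal": {"k_algorithm_id": "'AES128'", "key_mgn_type": "'SERVER_HELD'",
            "master_key_id": "'mk-01'", "col_key_id": "'ck-sal-07'"},
    "ssn": {"k_algorithm_id": "'DES3'", "key_mgn_type": "'SERVER_HELD'",
            "master_key_id": "'mk-01'", "col_key_id": "'ck-ssn-03'"},
}

@dataclass
class Column:
    name: str
@dataclass
class Literal:
    text: str
@dataclass
class BinOp:
    op: str
    left: "Node"
    right: "Node"
@dataclass
class Call:
    func: str
    args: List["Node"]
Node = Union[Column, Literal, BinOp, Call]

@dataclass
class Update:
    table: str
    assignments: Dict[str, Node]   # SET column = expression
    where: Optional[Node] = None

def get_key_node(col: str, keys: Dict[str, Call]) -> Call:
    """One GET_KEY node per encrypted column per statement. DECRYPT and ENCRYPT of
    that column point at the same object, so the key is recovered once per execution."""
    if col not in keys:
        m = ENCRYPTED_COLUMNS[col]
        keys[col] = Call("GET_KEY", [Literal(m["key_mgn_type"]),
                                     Literal(m["master_key_id"]),
                                     Literal(m["col_key_id"])])
    return keys[col]

def wrap_references(node, keys):
    """Reference side: each read of an encrypted column becomes DECRYPT(col, alg, GET_KEY)."""
    if isinstance(node, Column) and node.name in ENCRYPTED_COLUMNS:
        alg = Literal(ENCRYPTED_COLUMNS[node.name]["k_algorithm_id"])
        return Call("DECRYPT", [node, alg, get_key_node(node.name, keys)])
    if isinstance(node, BinOp):
        return BinOp(node.op, wrap_references(node.left, keys), wrap_references(node.right, keys))
    if isinstance(node, Call):
        return Call(node.func, [wrap_references(a, keys) for a in node.args])
    return node   # plaintext column, literal, or absent WHERE clause

def transform_update(stmt: Update) -> Update:
    """Update side: wrap every reference, then ENCRYPT values stored into encrypted columns."""
    keys: Dict[str, Call] = {}
    assignments = {}
    for col, expr in stmt.assignments.items():
        expr = wrap_references(expr, keys)
        if col in ENCRYPTED_COLUMNS:
            alg = Literal(ENCRYPTED_COLUMNS[col]["k_algorithm_id"])
            expr = Call("ENCRYPT", [expr, alg, get_key_node(col, keys)])
        assignments[col] = expr
    return Update(stmt.table, assignments, wrap_references(stmt.where, keys))

def render(node) -> str:
    if isinstance(node, Column):
        return node.name
    if isinstance(node, Literal):
        return node.text
    if isinstance(node, BinOp):
        return f"{render(node.left)} {node.op} {render(node.right)}"
    return f"{node.func}({', '.join(render(a) for a in node.args)})"

def render_update(stmt: Update) -> str:
    sets = ", ".join(f"{c} = {render(e)}" for c, e in stmt.assignments.items())
    where = f" WHERE {render(stmt.where)}" if stmt.where is not None else ""
    return f"UPDATE {stmt.table} SET {sets}{where};"

def get_key_ids(node) -> set:
    """Object ids of GET_KEY nodes under node; a node shared by DECRYPT and ENCRYPT appears once."""
    if isinstance(node, Call):
        found = {id(node)} if node.func == "GET_KEY" else set()
        return found.union(*(get_key_ids(a) for a in node.args))
    if isinstance(node, BinOp):
        return get_key_ids(node.left) | get_key_ids(node.right)
    return set()

def distinct_get_key_nodes(stmt: Update) -> int:
    return len(set().union(*(get_key_ids(e) for e in [*stmt.assignments.values(), stmt.where])))

# The page's pay raise: UPDATE employee SET sal = 1.01*sal WHERE empno = 999999;
PAY_RAISE = Update("employee", {"sal": BinOp("*", Literal("1.01"), Column("sal"))},
                   BinOp("=", Column("empno"), Literal("999999")))
```

Running render_update(transform_update(PAY_RAISE)) yields the statement of paragraph [0076] with the metadata placeholders filled in, and distinct_get_key_nodes reports a single GET_KEY node even though the text shows it twice: the rendered SQL duplicates what is, in the tree, one shared operator. A WHERE clause on a second encrypted column (the ssn case of paragraph [0011]) adds a second DECRYPT and a second, separate GET_KEY node.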

[0077] The key retrieval operator is capable of supporting multiple key management schemes where every master key or column encryption key has its own identity, which is universally unique. Note that the column encryption key protecting a particular column can have multiple copies, with each copy being wrapped by a different master key.

[0078] The following is an example showing the flexibility of the system. Assume that the system has a key management type identified by the variable “SERVER_HELD.” In this scheme, all of the column encryption keys are wrapped by a single master key kept in the server's wallet. The administrator may use the wallet manager to generate any number of master keys. The server, however, will pick only one for the database when a SQL command such as:

[0079] ALTER DATABASE MASTER KEY my_db_ms_key;

[0080] is issued.

[0081] Hence, “my_db_ms_key” is the key's external name. The server also creates a universally unique identity associated with the key. The server remembers only the current master key identity, while the key itself remains in the wallet. The adoption of a master key may also take place at database creation time because the wallet manager is not part of the database. Note that the above command also entails a re-key of all the column encryption keys in the database. The encrypted column data is not affected, however.

[0082] When the server generates a new column encryption key or replaces an old column encryption key as a result of one of the DDLs which manage the encrypted column, the column encryption key is wrapped by the server master key. The column encryption key ID, the master key ID, and the encrypted column key information are used as parameters for the key retrieval operator GET_KEY as described above. Based on the “SERVER_HELD” key management type, the operator is able to find the server master key in the wallet through the wallet application programming interface (API) and thereby recover the plain text column encryption key used for both encrypt and decrypt operations.
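The SERVER_HELD scheme of paragraphs [0077] to [0082], as an added Python example that is not code from the patent or from any product: master keys live in a wallet under universally unique ids with external names, each column encryption key is stored wrapped by a master key (a column key may have several copies under different master keys), GET_KEY unwraps the column key once per statement execution into per-execution memory, and ALTER DATABASE MASTER KEY re-wraps the column keys without touching encrypted column data. The Wallet and Server classes, the exec_ctx dictionary standing for per-execution memory, and the XOR-with-HMAC stand-in for a real key-wrap algorithm are assumptions of the example.

```python
"""SERVER_HELD key management for the GET_KEY operator (added example)."""
import hashlib
import hmac
import os
import uuid
from typing import Dict, Tuple

def wrap_key(master_key: bytes, col_key_id: str, col_key: bytes) -> bytes:
    """Stand-in for a key-wrap algorithm (constructed for this example): XOR the
    column key with a keyed PRF stream bound to the column key id. A production
    server would use an authenticated wrap such as AES Key Wrap instead."""
    pad = hmac.new(master_key, col_key_id.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(col_key, pad))

unwrap_key = wrap_key   # XOR with the same pad is its own inverse

class Wallet:
    """The server's wallet: master keys by universal id, each with an external name."""
    def __init__(self) -> None:
        self.master_keys: Dict[str, Tuple[str, bytes]] = {}
        self.reads = 0   # wallet API lookups, to show GET_KEY runs once per statement
    def generate_master_key(self, external_name: str) -> str:
        master_key_id = str(uuid.uuid4())
        self.master_keys[master_key_id] = (external_name, os.urandom(32))
        return master_key_id
    def id_for_name(self, external_name: str) -> str:
        return next(i for i, (n, _) in self.master_keys.items() if n == external_name)
    def get(self, master_key_id: str) -> bytes:
        self.reads += 1
        return self.master_keys[master_key_id][1]

class Server:
    def __init__(self, wallet: Wallet) -> None:
        self.wallet = wallet
        self.current_master_key_id = None
        # col_key_id -> {master_key_id: wrapped column key}; a column key may have
        # several copies, each wrapped by a different master key.
        self.column_keys: Dict[str, Dict[str, bytes]] = {}

    def alter_database_master_key(self, external_name: str) -> None:
        """ALTER DATABASE MASTER KEY <name>: adopt a master key and re-wrap every
        column key under it. Encrypted column data is not touched."""
        new_id = self.wallet.id_for_name(external_name)
        if self.current_master_key_id is not None:
            old_master = self.wallet.get(self.current_master_key_id)
            new_master = self.wallet.get(new_id)
            for col_key_id, copies in self.column_keys.items():
                plain = unwrap_key(old_master, col_key_id, copies[self.current_master_key_id])
                copies[new_id] = wrap_key(new_master, col_key_id, plain)
        self.current_master_key_id = new_id

    def new_column_key(self) -> Tuple[str, bytes]:
        """Generate a column key (as the encrypting DDLs do) and store it wrapped."""
        col_key_id, plain = str(uuid.uuid4()), os.urandom(16)
        master = self.wallet.get(self.current_master_key_id)
        self.column_keys[col_key_id] = {self.current_master_key_id: wrap_key(master, col_key_id, plain)}
        return col_key_id, plain

    def get_key(self, key_mgn_type: str, master_key_id: str, col_key_id: str, exec_ctx: dict) -> bytes:
        """The GET_KEY operator. exec_ctx is the session's per-execution memory: the
        plaintext column key is recovered once per statement and lives only there."""
        if col_key_id in exec_ctx:
            return exec_ctx[col_key_id]
        if key_mgn_type != "SERVER_HELD":
            raise NotImplementedError(f"key management type {key_mgn_type}")
        wrapped = self.column_keys[col_key_id][master_key_id]
        plain = unwrap_key(self.wallet.get(master_key_id), col_key_id, wrapped)
        exec_ctx[col_key_id] = plain
        return plain

def demo() -> dict:
    """Adopt a master key, create a column key, run one statement that needs the key
    five times, then switch master keys and check the column key still recovers."""
    wallet = Wallet()
    wallet.generate_master_key("my_db_ms_key")
    wallet.generate_master_key("next_year_key")
    server = Server(wallet)
    server.alter_database_master_key("my_db_ms_key")
    col_key_id, plain = server.new_column_key()
    exec_ctx: dict = {}
    wallet.reads = 0
    recovered = [server.get_key("SERVER_HELD", server.current_master_key_id, col_key_id, exec_ctx)
                 for _ in range(5)]   # five DECRYPT/ENCRYPT evaluations in one statement
    reads_in_statement = wallet.reads
    server.alter_database_master_key("next_year_key")
    after_rekey = server.get_key("SERVER_HELD", server.current_master_key_id, col_key_id, {})
    return {"same_key": all(r == plain for r in recovered),
            "wallet_reads_in_statement": reads_in_statement,
            "wrapped_copies": len(server.column_keys[col_key_id]),
            "recovers_after_master_rekey": after_rekey == plain}
```

Because the wrapped copies are keyed by master key id, the old copy stays usable after a master key change and a new copy appears beside it, which is the "multiple copies, each wrapped by a different master key" arrangement of paragraph [0077]; the column ciphertext itself is never rewritten by a master key change.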

[0083] Clearly, the logic of the key retrieval operator is driven by the key management type. The key retrieval always sees the column encryption key identity and the master key identity. New key management schemes can easily be plugged into the system without affecting the implementation of the transparent data conversion between clear text and cipher text. With these universally unique identities, the keys can be stored anywhere as long as the operator can find them at runtime. DDL commands may need to be enhanced or new DDL commands may need to be added to support different key management types.

[0084] The foregoing descriptions of embodiments of the present invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.

What is claimed is:
1. A method for facilitating encryption of data within a column of a database, comprising: receiving a command to perform a database operation; parsing the command to create a parse tree; examining the parse tree to determine if a column referenced in the parse tree is an encrypted column; and if so, automatically transforming the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.
2. The method of claim 1, wherein if the database operation includes a reference operation from the encrypted column, the method further comprises transforming the database operation to decrypt data retrieved from the encrypted column during the reference operation.
3. The method of claim 1, wherein if the command includes an update operation to the encrypted column, the method further comprises transforming the update operation to encrypt data being updated in the encrypted column during the update operation.
4. The method of claim 1, wherein if a column is encrypted the method further comprises identifying a cryptographic key for the column.
5. The method of claim 1, wherein examining the parse tree further comprises: determining if the command includes an explicit command to encrypt the column in the database; and if so, encrypting the column.
6. The method of claim 1, wherein examining the parse tree further comprises: determining if the command includes an operation to change an encryption key for the column; and if so, decrypting the column with a current encryption key, and encrypting the column with a new encryption key.
7. The method of claim 1, wherein examining the parse tree further comprises: determining if the command includes an explicit command to decrypt the column in the database; and if so, decrypting the column.
8. The method of claim 1, wherein examining the parse tree further comprises: determining if the command includes an explicit command to change an encryption algorithm for the column; and if so, decrypting the column using a previous encryption algorithm, and encrypting the column using a new encryption algorithm.
9. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating encryption of data within a column of a database, the method comprising: receiving a command to perform a database operation; parsing the command to create a parse tree; examining the parse tree to determine if a column referenced in the parse tree is an encrypted column; and if so, automatically transforming the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.
10. The computer-readable storage medium of claim 9, wherein if the database operation includes a reference operation from the encrypted column, the method further comprises transforming the database operation to decrypt data retrieved from the encrypted column during the reference operation.
11. The computer-readable storage medium of claim 9, wherein if the command includes an update operation to the encrypted column, the method further comprises transforming the update operation to encrypt data being updated in the encrypted column during the update operation.
12. The computer-readable storage medium of claim 9, wherein if a column is encrypted the method further comprises identifying a cryptographic key for the column.
13. The computer-readable storage medium of claim 9, wherein examining the parse tree further comprises: determining if the command includes an operation to encrypt the column in the database; and if so, encrypting the column.
14. The computer-readable storage medium of claim 9, wherein examining the parse tree further comprises: determining if the command includes an explicit command to change an encryption key for the column; and if so, decrypting the column with a current encryption key, and encrypting the column with a new encryption key.
15. The computer-readable storage medium of claim 9, wherein examining the parse tree further comprises: determining if the command includes an explicit command to decrypt the column in the database; and if so, decrypting the column.
16. The computer-readable storage medium of claim 9, wherein examining the parse tree further comprises: determining if the command includes an explicit command to change an encryption algorithm for the column; and if so, decrypting the column using a previous encryption algorithm, and encrypting the column using a new encryption algorithm.
17. An apparatus for facilitating encryption of data within a column of a database, comprising: a receiving mechanism configured to receive a command to perform a database operation; a parsing mechanism configured to parse the command to create a parse tree; an examining mechanism configured to examine the parse tree to determine if a column referenced in the parse tree is an encrypted column; and a transforming mechanism configured to automatically transform the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.
18. The apparatus of claim 17, wherein the transforming mechanism is further configured to transform the database operation to decrypt data retrieved from the encrypted column during a reference operation if the database operation includes the reference operation from the encrypted column.
19. The apparatus of claim 17, wherein the transforming mechanism is further configured to transform the database operation to encrypt data being updated in the encrypted column during an update operation if the database operation includes the update operation to the encrypted column.
20. The apparatus of claim 17, further comprising an identifying mechanism configured to identify a cryptographic key for a column if the column is encrypted.
21. The apparatus of claim 17, further comprising: a determining mechanism configured to determine if the command includes an explicit command to encrypt the column in the database; and an encrypting mechanism configured to encrypt the column if the command includes the explicit command to encrypt the column in the database.
22. The apparatus of claim 17, further comprising: a determining mechanism configured to determine if the command includes an operation to change an encryption key for the column; a decrypting mechanism configured to decrypt the column with a current encryption key; and an encrypting mechanism configured to encrypt the column with a new encryption key.
23. The apparatus of claim 17, further comprising: a determining mechanism configured to determine if the command includes an explicit command to decrypt the column in the database; and a decrypting mechanism configured to decrypt the column if the command includes the explicit command to decrypt the column in the database.
24. The apparatus of claim 17, further comprising: a determining mechanism configured to determine if the command includes an operation to change an encryption algorithm for the column; a decrypting mechanism configured to decrypt the column with a current encryption algorithm; and an encrypting mechanism configured to encrypt the column with a new encryption algorithm.